Governance & Risk Management , Incident & Breach Response , Managed Detection & Response (MDR)

Canada's Mandatory Breach Notification Rules Now in Effect

Organizations Must Comply With Data Breach Reporting Requirements or Face Fines
Canada's Mandatory Breach Notification Rules Now in Effect

Private sector organizations in Canada must now report all serious data breaches to the country's privacy watchdog.

See Also: Gartner Guide for Digital Forensics and Incident Response

As of Nov. 1, new provisions in the country's Personal Information Protection and Electronic Documents Act came into force, which include mandatory tracking of all data breaches by all organizations, large and small. Such records must be stored for at least two years.

Since 2001, Canada's PIPEDA privacy law has applied to private sector organizations. "The act ... sets out rules that organizations must follow when collecting, using or disclosing personal information in the course of their commercial activities," according to a Canadian government overview. "The Office of the Privacy Commissioner (OPC) enforces PIPEDA by overseeing whether organizations are complying with the act's obligations."

Over the last three years, however, Parliament has been tweaking PIPEDA to add mandatory breach notification (see: Preparing for PIPEDA).

Canadian Privacy Commissioner Daniel Therrien

"The number and frequency of significant data breaches over the past few years have proven there's a clear need for mandatory reporting," says Canadian Privacy Commissioner Daniel Therrien.

"Mandatory breach reporting and notification will create an incentive for organizations to take security more seriously and bring enhanced transparency and accountability to how organizations manage personal information," says Therrien, who has served in his role since June 5, 2014.

Ahead of the new PIPEDA rules going into effect, the OPC on Monday released its final guidance on the new PIPEDA rules as well as a new form for reporting breaches.

Organizations are now required to alert the OPC to any data exposure, as well as if they have failed to put appropriate measures in place. "A breach of security safeguards is defined in PIPEDA as: the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization's security safeguards ... or from a failure to establish those safeguards," the OPC's guidance reads.

Organizations must keep a report of all breaches, but only need to report breaches "that pose a real risk of significant harm, and to keep records of all breaches of security safeguards," the OPC says. But the privacy commissioner can request these reports at businesses at any time.

What is real risk of significant harm? Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. Factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm include the sensitivity of the personal information involved in the breach of security safeguards and the probability the personal information has been/is/will be misused.
Source: OPC

In terms of the potential number of victims, there is no reporting threshold. "Whether a breach of security safeguards affects one person or a 1,000, it will still need to be reported if your assessment indicates there is a real risk of significant harm resulting from the breach," the OPC says. Organizations must also directly notify affected individuals.

"If a breach triggers notification due to a real risk of significant harm, 'any government institutions or organizations that the organization believes ... may be able to reduce the risk of harm ... or mitigate the harm' resulting from the breach must also be notified," according to an analysis of the new rules published by the cybersecurity and privacy practice at global law firm Hunton Andrews Kurth LLP.

Data Control

An organization is also responsible for reporting any security breaches that involve data that is "under its control," according to the new rules.

Hunton says the OPC has clarified that statement in its final guidance. "In general, when an organization (the 'principal') provides personal information to a third-party processor (the 'processor'), the principal may reasonably be found to be in control of the personal information it has transferred to the processor, triggering the reporting and record-keeping obligations of a breach that occurs with the processor," the law firm notes.

"On the other hand, if the processor uses or discloses the same personal information for other purposes, it is no longer simply processing the personal information on behalf of the principal; it is instead acting as an organization 'in control' of the information, and would thereby have the obligation to notify, report, and record."

Takeaway: Organizations must assess all breaches on a case-by-case basis, as well as ensure they have the right contractual obligations in place to ensure that any third parties that handle its data take appropriate steps to secure it, Hunton says.

Violators May Be Fined

Cases involving organizations that violate the PIPEDA breach-reporting guidelines may be referred by the OPC to the office of the attorney general of Canada, which may decide to prosecute.

"The OPC does not prosecute offenses under PIPEDA or issue fines," OPC says. "What the OPC can do is refer information relating to the possible commission of an offense to the attorney general of Canada, who would be responsible for any ultimate prosecution."

Organizations that deliberately fail to report a data breach to authorities will be subject to a fine of up to CAN$100,000 (US$76,000). Organizations that deliberately fail to notify any data breach victim will be subject to a separate fine of up to $100,000 for every individual. Finally, "deliberately failing to keep, or destroying data breach records will also be an offense, subject to a fine of up to $100,000," according to a government overview of the new requirements.

Commissioner Slams 'Superficial' Approach

Therrien, Canada's privacy commissioner, has described the new data breach reporting requirements as "imperfect but a step in the right direction."

"He has raised concerns that the reporting requirements fall short in that, for example, they don't ensure that breach reports to his office provide the information necessary to assess the quality of organizations' safeguards," according to OPC. "As well, the government has not provided the privacy commissioner's office with resources to analyze breach reports, provide advice and verify compliance. As a result, the office's work will be somewhat superficial and the regime will be less effective in protecting privacy."

That language echoes a privacy report Therrien submitted to Parliament in September.

Privacy Rights in the GDPR Era

To be sure, the OPC is seriously underpowered in comparison with enforcement of the EU's General Data Protection Regulation. The data protection authorities in each of the 28 EU member states enforce GDPR.

Organizations that fail to comply with GDPR's privacy requirements face fines of up 4 percent of their annual global revenue or €20 million ($23 million), whichever is greater. Organizations that fail to comply with GDPR's reporting requirements also face a separate fine of up to €10 million ($13 million) or 2 percent of annual global revenue (see: GDPR Effect: Data Protection Complaints Spike).

Some Canadian lawmakers have also voiced concerns that in this era of massive Facebook and Equifax data breaches, the OPC lacks sufficient resources or necessary enforcement capabilities.

So far, however, Parliament has not made any substantive moves to beef up the OPC.

The privacy commissioner would be given the power to fine rule breakers up to $30 million under a private member's bill sponsored by Liberal MP Nathaniel Erskine-Smith, who is a vice chair of the Commons privacy committee, CTV News reports.

But such bills rarely become law, in part because very little time is allocated in Parliament to discuss or advance any private member's bill.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.